Best practices for AWS Control Tower administrators - AWS Control Tower

Best practices for AWS Control Tower administrators

This topic is intended primarily for management account administrators.

Management account administrators are responsible for explaining some tasks that AWS Control Tower controls prevent their member account administrators from doing. This topic describes some best practices and procedures for transferring this knowledge, and it gives other tips for setting up and maintaining your AWS Control Tower environment efficiently.

Explaining access to users

The AWS Control Tower console is available only to users with the management account administrator permissions. Only these users can perform administrative work within your landing zone. In accordance with best practices, this means that the majority of your users and member account administrators will never see the AWS Control Tower console. As a member of the management account administrator group, it's your responsibility to explain the following information to the users and administrators of your member accounts, as appropriate.

  • Explain which AWS resources that users and administrators have access to within the landing zone.

  • List the preventive controls that apply to each organizational unit (OU) so that the other administrators can plan and execute their AWS workloads accordingly.

Explaining resource access

Some administrators and other users may need an explanation of the AWS resources to which they have access to within your landing zone. This access can include programmatic access and console-based access. Generally speaking, read access and write access for AWS resources is allowed. To perform work within AWS, your users require some level of access to the specific services they need to do their jobs.

Some users, such as your AWS developers, may need to know about the resources to which they have access, so they can create engineering solutions. Other users, such as the end users of the applications that run on AWS services, do not need to know about AWS resources within your landing zone.

AWS offers tools to identify the scope of a user's AWS resource access. After you identify the scope of a user's access, you can share that information with the user, in accordance with your organization's information management policies. For more information about these tools, see the links that follow.

  • AWS access advisor – The AWS Identity and Access Management (IAM) access advisor tool lets you determine the permissions that your developers have by analyzing the last timestamp when an IAM entity, such as a user, role, or group, called an AWS service. You can audit service access and remove unnecessary permissions, and you can automate the process if needed. For more information, see our AWS Security blog post.

  • IAM policy simulator – With the IAM policy simulator, you can test and troubleshoot IAM-based and resource-based policies. For more information, see Testing IAM Policies with the IAM Policy Simulator.

  • AWS CloudTrail logs – You can review AWS CloudTrail logs to see actions taken by a user, role, or AWS service. For more information about CloudTrail, see the AWS CloudTrail User Guide.

    Actions taken by AWS Control Tower landing zone administrators are viewable in the landing zone management account. Actions taken by member account administrators and users are viewable in the shared log archive account.

    You can view a summary table of AWS Control Tower events in the Activities page.

Explaining preventive controls

A preventive control ensures that your organization's accounts maintain compliance with your corporate policies. The status of a preventive control is either enforced or not-enabled. A preventive control prevents policy violations by using service control policies (SCPs). In comparison, a detective control informs you of various events or states that exist, by means of defined AWS Config rules.

Some of your users, such as AWS developers, may need to know about the preventive controls that apply to any accounts and OUs they use, so they can create engineering solutions. The following procedure offers some guidance on how to provide this information for the right users, according to your organization's information management policies.


This procedure assumes you've already created at least one child OU within your landing zone, as well as at least one AWS IAM Identity Center user.

To show preventive controls for users with a need to know
  1. Sign in to the AWS Control Tower console at

  2. From the left navigation, choose Organization.

  3. From the table, choose the name of one of the OUs for which your user needs information about the applicable controls.

  4. Note the name of the OU and the controls that apply to this OU.

  5. Repeat the previous two steps for each OU about which your user needs information.

For detailed information about the controls and their functions, see About controls in AWS Control Tower.